
Dupe: Handle multiple sessions from different location #659

Closed
19 tasks
jonnalley opened this issue Feb 8, 2023 · 2 comments

Comments

@jonnalley
Contributor

jonnalley commented Feb 8, 2023

User Story

As an OPRE System Admin, I want to ensure that a user can't have a valid session from two sources simultaneously, to enact a better security posture.

Acceptance Criteria

  • For any singular user account, the originating IPv4 or IPv6 address should be tracked and if during an existing valid session, another authorization is attempted for the same user from a different IP "location", the pre-existing session should be invalidated but the new one should survive and be allowed to proceed.
    (@tdonaworth updated to remove the "how")

Tasks

  • Make any changes necessary to track an authenticated user's IP address source location as part of active session management
  • Build any logic necessary to tear down the pre-existing session to meet the AC mentioned above.

Definition of Done Checklist

  • Usability validated
  • UI works as designed
  • OESA: Code refactored for clarity
  • OESA: Dependency rules followed
  • Automated unit tests updated and passed
  • Automated integration tests updated and passed
  • Automated quality tests updated and passed
  • Automated load tests updated and passed
  • Automated a11y tests updated and passed
  • Automated security tests updated and passed
  • 90%+ Code coverage achieved
  • PR(s) have been merged to main
  • Design/tech debt eliminated
  • Build process updated
  • Documentation updated or added
  • Feature flags/toggles created

Additional Context & Resources

  • This may be superseded by or related to the control NIST 800-53 rev 5 AC-10 which requires us to have restrictions on concurrent sessions.
@jonnalley jonnalley added security-privacy-compliance Work needed around Security, Privacy, or Compliance story A defined user story adhering to expected norms including a narrative labels Feb 8, 2023
@tdonaworth tdonaworth changed the title Story: Handle multiple sessions from different source IPs Story: Handle multiple sessions from different location Feb 9, 2023
@tdonaworth
Collaborator

Updated the AC to be more generic, as the core need is to ensure we determine the source "location" of an Authentication, and maintain that. "How" we do that is for us to determine and implement, as tracking IP is generally fraught with issues, and there are other ways to determine where a request originated from, etc.
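The acceptance criterion in the issue body (a new authorization from a different "location" invalidates the pre-existing session while the new one survives) and the comment above (keep the "location" abstract rather than a raw IP) can both be served by one small policy. The following is an added illustration written for this page; it is not code from the OPRE project. It assumes a hypothetical `origin_fingerprint()` that derives the location key from the normalised IP address and user agent, an in-memory `SessionStore`, and an audit log of revocations; a real deployment would back the store with a shared cache and choose whichever origin signal the team settles on.

```python
"""Single-origin session policy (constructed example, not the project's code)."""
import hashlib
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def origin_fingerprint(ip: str, user_agent: str) -> str:
    """Derive an opaque 'location' key from request attributes (assumed inputs).

    The address is parsed with the ipaddress module so IPv4 and IPv6 spellings
    are normalised ('2001:DB8::0001' and '2001:db8::1' yield the same key); a
    malformed address raises ValueError instead of silently producing a key.
    Swap in any other origin signal here without touching the policy below.
    """
    addr = ipaddress.ip_address(ip.strip()).compressed
    return hashlib.sha256(f"{addr}|{user_agent.strip()}".encode()).hexdigest()


@dataclass
class Session:
    user_id: str
    origin: str                              # key from origin_fingerprint()
    token: str
    created_at: float
    revoked_reason: Optional[str] = None     # None while the session is valid

    @property
    def valid(self) -> bool:
        return self.revoked_reason is None


class SessionStore:
    """In-memory store keyed by token; tracks every live session per user."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Session] = {}
        self._tokens_by_user: Dict[str, Set[str]] = {}
        self.audit_log: List[dict] = []      # revocation events for later review

    def authenticate(self, user_id: str, origin: str) -> Session:
        """Issue a new session; revoke live sessions of this user from other origins.

        Re-authentication from the same origin leaves earlier sessions intact,
        which the issue does not specify either way (assumption made here).
        """
        for tok in self._tokens_by_user.get(user_id, set()):
            prior = self._by_token[tok]
            if prior.valid and prior.origin != origin:
                prior.revoked_reason = "concurrent-origin"
                self.audit_log.append({
                    "event": "session_revoked",
                    "user_id": user_id,
                    "reason": prior.revoked_reason,
                    "old_origin": prior.origin,
                    "new_origin": origin,
                    "at": time.time(),
                })
        session = Session(user_id, origin, secrets.token_urlsafe(32), time.time())
        self._by_token[session.token] = session
        self._tokens_by_user.setdefault(user_id, set()).add(session.token)
        return session

    def validate(self, token: str) -> Optional[Session]:
        """Return the session for a presented token, or None if unknown/revoked."""
        session = self._by_token.get(token)
        return session if session is not None and session.valid else None

    def revocation_reason(self, token: str) -> Optional[str]:
        session = self._by_token.get(token)
        return None if session is None else session.revoked_reason


if __name__ == "__main__":
    store = SessionStore()
    first = store.authenticate("alice", origin_fingerprint("203.0.113.5", "Mozilla/5.0"))
    second = store.authenticate("alice", origin_fingerprint("2001:db8::1", "Mozilla/5.0"))
    print("first still valid:", store.validate(first.token) is not None)    # False
    print("second valid:", store.validate(second.token) is not None)        # True
    print("audit:", store.audit_log)
```

The revocation happens at authentication time, so the check is a single pass over the user's live sessions and the request that triggered it is never slowed by the old session's state; the audit entry records both origin keys so a burst of `concurrent-origin` revocations for one account can be alerted on as a possible credential-sharing or account-takeover signal.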

@jonnalley
Contributor Author

This is now a dupe of 664, closing for now.

@jonnalley jonnalley changed the title Story: Handle multiple sessions from different location Dupe: Handle multiple sessions from different location Feb 11, 2023
@jonnalley jonnalley removed story A defined user story adhering to expected norms including a narrative security-privacy-compliance Work needed around Security, Privacy, or Compliance labels Feb 11, 2023